Open Security Group Advisory #6

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Open Security Group Advisory #6
From: <c0ntex@xxxxxxxxxxxxxxxxx>
Date: 17 Aug 2004 16:41:01 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


List,
 
In May, Open Security Group started a media player security audit to drive out 
defects in popular media player code with the hope
of helping secure our networks, machines and users from malicious attackers.
 
As the second stage of this project, I released an advisory on August 8th, 
2004, regarding a new local && remote vulnerability in
Xine Media Player [www.xinehq.de] that will allow for an attacker to execute 
code on a Linux / UNIX machine running the player. This vulnerability is very 
similar to the bug I found in MPlayer, details of which can be found at the 
following links:
 
http://open-security.org/advisories/5
http://www.techworld.com/opsys/news/index.cfm?NewsID=2027
http://www.securityfocus.com/archive/1/367301/2004-06-23/2004-06-29/0
 
 
Sadly, I received the standard email from the Bugtraq mailing list stating that 
the message had not been actioned and as such was
returned.... so I can?t understand why my work ended up in the 
securityfocus.com vulnerability archive, yet it was not shared with the 
subscibing community. Selective information dissemination is not very helpful.
 
        http://securityfocus.com/bid/10890/info/
 
 
Now since this vulnerability is just as serious as the Mplayer bug, I can?t see 
any good reason why this information should be withheld from the community any 
longer. Therefore, I am again hoping to rely on Bugtraq maintainers seeing fit 
to post my advisory to the community so that they too can benifit from having 
this important information.
 
Just in case this post does not adhere to the ?securityfocus standard? which 
is... I have no idea.... I have also posted this message to the full-disclosure 
group.
 
My original Xine advisory can be found for your perusal at the following links:
 
        http://open-security.org/advisories/6
 
        http://secunia.com/advisories/12194/
        http://secwatch.org/advisories/1008390
        http://xforce.iss.net/xforce/xfdb/16930
        http://securiteam.com/unixfocus/5MP042KDPQ.html
        http://packetstormsecurity.nl/filedesc/Xines_Mine.c.html
 
 
---
 
Thanks and regards.
 
c0ntex
Open Security Group
http://www.Open-Security.org

Prev by Date: Re: SQL Injection in CACTI
Next by Date: SHA-0 Broken, MD5 Rumored Broken
Previous by thread: CESA-2004-004: qt
Next by thread: SHA-0 Broken, MD5 Rumored Broken
Index(es):
- Date
- Thread